ruby.git/ext/openssl, branch v3_4_9 The Ruby Programming Language Update openssl gem to 3.3.1 for Ruby 3.4 (#14792) 2025-10-09T14:32:47+00:00 Bo Anderson mail@boanderson.me 2025-10-09T14:32:47+00:00 fce44db5eb7baf1ddd2238254c3cf617fcfd1112 Update openssl gem to 3.3.1 [Backport #21631] 
Update openssl gem to 3.3.1

[Backport #21631]
 [ruby/openssl] [ruby/openssl] Run `have_func` with the header providing the declarations 2025-07-15T16:23:42+00:00 Nobuyoshi Nakada nobu@ruby-lang.org 2025-07-01T08:38:25+00:00 05a7d345ce0cc6fc5c55a4df0e633b145c3e6316 https://github.com/ruby/openssl/commit/b6f56c4540 https://github.com/ruby/openssl/commit/5277ca1431 
https://github.com/ruby/openssl/commit/b6f56c4540

https://github.com/ruby/openssl/commit/5277ca1431
[ruby/openssl] Ruby/OpenSSL 3.3.0 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-18T14:04:35+00:00 9e3e1c7fc9dddb61de4867ad786e86958d11b33c https://github.com/ruby/openssl/commit/e5153dbbb4 
https://github.com/ruby/openssl/commit/e5153dbbb4
[ruby/openssl] digest: remove optional parameter from OpenSSL::Digest#finish 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-10T16:42:57+00:00 486246209777ca36cd7d2620368c5b455f113910 OpenSSL::Digest#finish overrides Digest::Instance#finish and is called from the Digest::Class framework in the digest library. This method is not supposed to take any arguments, as suggested by the RDoc comment for Digest::Instance#finish. It is a private method and not exposed to users. Let's remove it. This optional parameter exists since r15602 in Ruby trunk, the commit which converted OpenSSL::Digest to a subclass of Digest::Class. https://github.com/ruby/openssl/commit/dcb2a4f30b 
OpenSSL::Digest#finish overrides Digest::Instance#finish and is called
from the Digest::Class framework in the digest library. This method is
not supposed to take any arguments, as suggested by the RDoc comment for
Digest::Instance#finish.

It is a private method and not exposed to users. Let's remove it.

This optional parameter exists since r15602 in Ruby trunk, the commit
which converted OpenSSL::Digest to a subclass of Digest::Class.

https://github.com/ruby/openssl/commit/dcb2a4f30b
[ruby/openssl] digest: make output buffer String independent in #finish 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-10T15:59:37+00:00 9de2b407d7034b81963f8c5663233d353356d6cc Likewise, OpenSSL::Digest#finish needs to make the output buffer independent before writing to it. https://github.com/ruby/openssl/commit/9cc8a83466 
Likewise, OpenSSL::Digest#finish needs to make the output buffer
independent before writing to it.

https://github.com/ruby/openssl/commit/9cc8a83466
[ruby/openssl] cipher: make output buffer String independent 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-10T14:06:00+00:00 637f019f1f7611ba41f761a1b17e4228661d0a5b OpenSSL::Cipher#update accepts a String as the second argument to be used as the output buffer. The buffer must be directly writable, in other words, it must not be frozen and not a shared string. rb_str_resize() does not make the String independent if the String already has the intended length. Use the rb_str_modify() family instead to check it. Fixes: https://bugs.ruby-lang.org/issues/20937 https://github.com/ruby/openssl/commit/1de3b80a46 
OpenSSL::Cipher#update accepts a String as the second argument to be
used as the output buffer. The buffer must be directly writable, in
other words, it must not be frozen and not a shared string.

rb_str_resize() does not make the String independent if the String
already has the intended length. Use the rb_str_modify() family instead
to check it.

Fixes: https://bugs.ruby-lang.org/issues/20937

https://github.com/ruby/openssl/commit/1de3b80a46
[ruby/openssl] pkcs12: add PKCS12#set_mac 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-03T10:40:07+00:00 c79b4354074742ca1cbbb25a4f04bbffeb58407d Add a binding for PKCS12_set_mac() to set MAC parameters and (re-)calculate MAC for the content. This allows generating PKCS #12 with consistent MAC parameters with different OpenSSL versions. OpenSSL 3.0 changed the default hash function used for HMAC and the KDF from SHA-1 to SHA-256. Fixes: https://github.com/ruby/openssl/issues/772 https://github.com/ruby/openssl/commit/f5ed2a74b6 
Add a binding for PKCS12_set_mac() to set MAC parameters and
(re-)calculate MAC for the content.

This allows generating PKCS #12 with consistent MAC parameters with
different OpenSSL versions. OpenSSL 3.0 changed the default hash
function used for HMAC and the KDF from SHA-1 to SHA-256.

Fixes: https://github.com/ruby/openssl/issues/772

https://github.com/ruby/openssl/commit/f5ed2a74b6
[ruby/openssl] ssl: do not clear existing SSL options in SSLContext#set_params 2024-12-07T08:15:08+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-11T18:01:54+00:00 c9bbf7e3eba9d42983d89b07273f4f31e9ca8d0e Apply SSL options set in DEFAULT_PARAMS without clearing existing options. It currently clears options in order to avoid setting one of the options included in OpenSSL::SSL::OP_ALL unless explicitly specified, namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is no longer necessary. https://github.com/ruby/openssl/commit/77c3db2d65 
Apply SSL options set in DEFAULT_PARAMS without clearing existing
options.

It currently clears options in order to avoid setting one of the
options included in OpenSSL::SSL::OP_ALL unless explicitly specified,
namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that
OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is
no longer necessary.

https://github.com/ruby/openssl/commit/77c3db2d65
[ruby/openssl] ssl: do not enable OpenSSL::SSL::OP_ALL by default 2024-12-07T08:15:08+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-11T17:29:46+00:00 510c190739b83cfa4fdb56e9d9c0578af25c9c6a Respect the SSL options set by default by SSL_CTX() and by the system-wide OpenSSL configuration file. OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL on top of the default SSL options. Let's stop doing it. OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior to workaround various TLS implementation bugs. Using it is considered usually safe, but is not completely harmless. https://github.com/ruby/openssl/commit/00bec0d905 
Respect the SSL options set by default by SSL_CTX() and by the
system-wide OpenSSL configuration file.

OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL
on top of the default SSL options. Let's stop doing it.

OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior
to workaround various TLS implementation bugs. Using it is considered
usually safe, but is not completely harmless.

https://github.com/ruby/openssl/commit/00bec0d905
[ruby/openssl] ssl: improve documentation of SSLContext#options= 2024-12-07T08:15:07+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-11T17:26:18+00:00 33196b7ab007c82ebd3fa3759850b1ddc10d50ef https://github.com/ruby/openssl/commit/9120fcde6a 
https://github.com/ruby/openssl/commit/9120fcde6a